The importance of security
Any company with a significant online presence has most likely faced a cyber attack, whether it is aware of it or not. For e-commerce specifically, the cost of a cyber attack can be very high, in terms of direct costs through lost revenue and infrastructure usage from the attack, as well as indirect costs attributed to brand damage and the resources it takes to recover from an attack.
Cyber attacks occur in many ways – denial of service (DoS) attacks that try to bring down websites to prevent users from accessing them, attacks trying to steal product or pricing information for competitive purposes, or ransomware attacks where attackers hold the application infrastructure hostage and demand large sums of money to “release” it. Often, the most damaging attacks result in application owners losing control of and access to their application. These attacks can be perpetrated through the front-end by targeting weak points in the application path, or by sending an inordinate amount of traffic to bring the application down. But they can also come through the backend – by changing the filesystem and inserting malicious code or executables that can be easily exploited. Security solutions must cater to both dimensions of attack to ensure complete protection.
How to make an e-commerce storefront more secure
Web application security first requires a complete understanding of the different areas of exposure to attack. Counter-measures then need to be applied to proactively protect against the known list of cyber attacks, while building an effective perimeter to protect against unknown attacks. All of this requires an e-commerce business to have a deep understanding of web application security, research capabilities into security threats on the Internet, real-time monitoring of application traffic, and the ability to write policies that respond effectively when attacked. Often, this is not a core skillset available in many e-commerce businesses, but Webscale can help.
How does Webscale deliver security?
Webscale is the only multi-cloud SaaS solution that can offer true 360-degree web application security, by securing transactions from the browser, to the Webscale data plane and deep into the application infrastructure. This includes monitoring and analysis through machine learning, detection, mitigation and ongoing protection. The deployment is a combination of a decentralized control plane and a distributed data plane that “fronts” application traffic, and real-time backend monitoring and control that protects the application infrastructure (or origin). Threats identified by Webscale are instantly blocked, typically without reaching the application infrastructure, reducing load and future capex spend for your infrastructure as well as protecting your brand and revenue. Malicious file insertions are instantly identified, servers are quarantined and attackers are blacklisted to provide automatic real-time origin infrastructure protection.
The Webscale security toolkit has many features available to address security needs.
Web Application Firewall (WAF)
With its broad experience in the e-commerce space, combined with end-to-end control over hundreds of e-commerce applications on multiple platforms including Magento, WordPress, WooCommerce, Drupal, Joomla, Ruby, Angular and more, Webscale has deployed the world’s only purpose-built e-commerce Web Application Firewall.
PCI DSS Compliant
Webscale has been PCI DSS Certified since 2014. As of December 2017, an external Qualified Security Assessor Company (QSAC), RSI Security, has validated that Webscale successfully completed the PCI Data Security Standard 3.2 Level 1 Service Provider assessment and was found to be compliant for all of its services.
Service provider levels are defined as:
Level 1: Any service provider that stores, processes and/or transmits over 300,000 transactions annually
Level 2: Any service provider that stores, processes and/or transmits less than 300,000 transactions annually
HTTPS, HTTP/2 – SSL/TLS
HTTPS transactions have become the standard for the web, especially for anything that involves sensitive information like e-commerce transactions. With search engines now using HTTPS as a factor in determining the ranking of your websites, support for HTTPS is no longer optional. Webscale can convert your application infrastructure from HTTP to HTTPS without any changes on your side. We procure digital certificates on your behalf and manage the entire lifecycle of the certificates so you don’t have to do anything. We also maintain the latest versions and ciphers of SSL/TLS, the underlying security layer for all HTTPS web transactions, and deprecate the older ones, ensuring you always have the strongest level of security. HTTP/2 is the evolution of HTTP and the latest standard of the web, offering vast improvements in performance and built-in TLS. Webscale automatically enables HTTP/2 for all customers.
App Shield
It is critical for the application origin infrastructure to have the same strong protection that the web traffic accessing the application has. This ensures attackers cannot circumvent the cloud security solution and exploit the origin and databases directly. Webscale’s App Shield is a single-click security mechanism that instantly blocks any traffic accessing the infrastructure directly. Any traffic now accessing the application has to pass through the Webscale data plane, WAF and other included security barriers.
Bot IP Shield
Some cyber attacks, initiated by bots, come from well-known sources identifiable by their IP addresses. Such attacks unnecessarily use up computational power, cause undue scaling of resources, increase costs, and more importantly expose the application to exploits that may cause irreparable damage to revenue and brand. Webscale’s Bot IP Shield, available as an add-on and enhanced by WebRoot’s BrightCloud® IP Reputation Service, ensures any malicious IPs, whether repeat offenders or associated with botnets, can be identified in real-time and blocked before accessing the application. This goes above and beyond public static IP lists that are quickly outdated, resulting in false positives and security loopholes.
File Integrity Monitoring (FIM)
End-to-end security means going beyond the Webscale platform and deeper into your application. A common means of cyber exploit occurs at the code level, where malicious agents are inserted into the application infrastructure to take it hostage or steal sensitive information such as credit card and social security numbers. Unlike most cloud SaaS solutions out there, Webscale is the first of its kind to mitigate powerful traffic attacks with file integrity monitoring (FIM). Webscale can constantly monitor and manage any code and asset changes to your infrastructure, alert you of any changes, and also automatically quarantine or prevent the malicious agents from infecting users and traffic.
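The core of file integrity monitoring as described above is a baseline of file digests that a later scan is compared against, so that added, removed and modified files in the web root can be alerted on. The following is an added illustration written for this page, not Webscale's own code: it builds a SHA-256 baseline over a directory tree, diffs a later snapshot against it, and `demo()` exercises it on a constructed temporary web root.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root: str) -> dict:
    """Map every regular file under root (path relative to root) to its digest."""
    root_path = Path(root)
    baseline = {}
    for path in sorted(root_path.rglob("*")):
        # Symlinks are skipped so a link pointing outside the web root is not hashed.
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root_path).as_posix()] = hash_file(path)
    return baseline

def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify changes since the baseline; each list is sorted for stable reports."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def demo() -> dict:
    """Constructed sample: a tiny web root is baselined, then altered and re-scanned."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php echo 'hello';")
    (root / "app").mkdir()
    (root / "app" / "config.php").write_text("<?php return [];")
    baseline = snapshot(str(root))
    # Simulated post-deployment drift: one edit, one new file, one deletion.
    (root / "index.php").write_text("<?php echo 'changed';")
    (root / "app" / "extra.php").write_text("<?php // newly dropped file")
    (root / "app" / "config.php").unlink()
    return diff_snapshots(baseline, snapshot(str(root)))
```

In practice the baseline would be written after each legitimate deployment and the diff run on a schedule, with any unexpected entry raising an alert.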
Web Controls
Targeting cyber threats requires the ability to adapt to the varying nature of attackers, as well as the patterns used to identify them. Many security solutions require the use of a specific language, or they burden administrators with learning an entirely new language altogether. Webscale’s Web Controls solve this problem by providing a very simple do-it-yourself policy engine that matches on one or more conditions and configures an action associated with the match. With an extremely intuitive user interface (and a similarly easy-to-use API), Web Controls can be used by administrators, support teams, or any Webscale portal user to configure policies that act on traffic in real-time, and provide the required protection without the need to learn any new skills.
DDoS Protection
Distributed denial of service (DDoS) attacks have become increasingly prevalent, especially against online retailers. DDoS attacks go after web applications with a deluge of requests from bots, automated software tools on the internet that attack applications to bring them down and take them hostage in exchange for ransom payments. Webscale’s Shield mode provides one-click instant DDoS protection, requesting validation for human access and keeping out all bots that are attacking the application.
Access Control
Once a cyber attacker has been identified, Webscale allows you to instantly block (or explicitly allow) users identified by address, device type or country through the powerful access control capabilities, permanently or for a specific period of time.
Through visitor and session analysis we can identify the geographic and device source of each visitor to the site and effectively block regions or entire geographies if they are not relevant or are considered problematic to the business.
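The policy model described in the Web Controls and access control passages above (one or more conditions on address, device type or country, an action on match, and blocks that are either permanent or time-limited) can be illustrated with a small rule evaluator. This is an added example for this page and not Webscale's Web Controls implementation; it assumes the request has already been annotated with a country code and device class by an upstream lookup, and uses RFC 5737 documentation addresses and the user-assigned country code "ZZ" as constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    action: str                                   # "allow" or "block"
    ip_ranges: list = field(default_factory=list)  # CIDR strings; any one may match
    countries: list = field(default_factory=list)  # ISO country codes; any one may match
    devices: list = field(default_factory=list)    # device classes, e.g. "bot", "mobile"
    expires: Optional[float] = None               # unix time; None means permanent

    def matches(self, req: dict, now: float) -> bool:
        """All configured condition groups must match; an expired rule never matches."""
        if self.expires is not None and now >= self.expires:
            return False
        addr = ipaddress.ip_address(req["ip"])
        checks = []
        if self.ip_ranges:
            checks.append(any(addr in ipaddress.ip_network(c, strict=False) for c in self.ip_ranges))
        if self.countries:
            checks.append(req.get("country") in self.countries)
        if self.devices:
            checks.append(req.get("device") in self.devices)
        # A rule with no conditions matches nothing, so a misconfigured rule cannot block everyone.
        return bool(checks) and all(checks)

def evaluate(rules: list, req: dict, now: float) -> str:
    """First matching rule wins; unmatched traffic is allowed through to the WAF."""
    for rule in rules:
        if rule.matches(req, now):
            return rule.action
    return "allow"

# Constructed sample policy: an allowlisted office range, a temporary block on an
# abusive range, and a permanent block on bot traffic from one region.
SAMPLE_RULES = [
    Rule("allow", ip_ranges=["203.0.113.0/24"]),
    Rule("block", ip_ranges=["198.51.100.0/24"], expires=1000.0),
    Rule("block", countries=["ZZ"], devices=["bot"]),
]
```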
Any application can have undiscovered vulnerabilities that may be exploited by attackers. Once these vulnerabilities are exposed, it still takes time between the application vendor creating a fix and you applying the patch. During this window, your application is exposed to attacks and a potential loss in brand and revenue. At Webscale, we solve this problem by having our security team constantly monitor application feeds, then create and apply security policies instantly as vulnerabilities are exposed.